How to use timewrap over a dynamically found day?

I'm trying to use the timewrap command dynamically. In the documentation, it is written that you can filter the date:

.... | timechart count span=1h | timewrap w | where strftime(_time, "%A") == "Wednesday"

This works on my data set, but when I want "Wednesday" to be "the day it was 1 hour ago", it doesn't work. Here is what I do:

| timechart count span=1h | eval time_lasthour=relative_time(now(), "-1h@h") | eval day_lasthour=strftime(time_lasthour, "%A") | timewrap w | where strftime(_time, "%A") == day_lasthour

Although the variable "day_lasthour" contains the right day, it isn't applied in the WHERE clause... Any idea how to make the variable "day_lasthour" work in the WHERE clause?

Thank you

0 Karma
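One way to keep the weekday dynamic, as an added example and not a search taken from this thread: it assumes that timewrap emits only _time and the wrapped series columns, so a field evaluated before timewrap (such as day_lasthour) is no longer present for a later where clause, and that recomputing the target day after timewrap avoids that. The index, sourcetype and time range are placeholders.

```spl
index=main sourcetype=access_combined earliest=-28d@d latest=now
| timechart count span=1h
| timewrap w
| eval day_lasthour=strftime(relative_time(now(), "-1h@h"), "%A")
| where strftime(_time, "%A") == day_lasthour
| fields - day_lasthour
```

The same condition can also be written inline, without a helper field, as where strftime(_time, "%A") == strftime(relative_time(now(), "-1h@h"), "%A"); the helper field is kept here only so the computed day can be inspected while debugging, and the trailing fields command drops it from the final chart.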


Try moving timewrap w to the end.

0 Karma

Splunk Employee

I created a set of evals contained in a macro for week over week comparison. Here is an example search you can reverse engineer. The magic happens in evals -- week[1-4] and bucket_range. date_wnum is to correctly order the days. Then you simply add bucket_range to your by clause.

earliest=-28d@d latest=-0d@d index=main sourcetype=access_combined status=404 
| fields date_wday user 
| eval date_wday=if(isnull(date_wday),lower(strftime(_time,"%A")),date_wday)
| eval week1=relative_time(now(),"-7d@d") 
| eval week2=relative_time(now(),"-14d@d") 
| eval week3=relative_time(now(),"-21d@d") 
| eval week4=relative_time(now(),"-28d@d")
| eval bucket_range=case(
    week1 <= _time, strftime(week1,"%m-%d")+" - "+strftime(now()-86400,"%m-%d"),
    week2 <= _time, strftime(week2,"%m-%d")+" - "+strftime(week1-86400,"%m-%d"),
    week3 <= _time, strftime(week3,"%m-%d")+" - "+strftime(week2-86400,"%m-%d"),
    week4 <= _time, strftime(week4,"%m-%d")+" - "+strftime(week3-86400,"%m-%d"))
| eval date_wnum=case(
    date_wday=lower(strftime(now(),"%A")),0,
    date_wday=lower(strftime(now()+86400,"%A")),1,
    date_wday=lower(strftime(now()+(86400*2),"%A")),2,
    date_wday=lower(strftime(now()+(86400*3),"%A")),3,
    date_wday=lower(strftime(now()+(86400*4),"%A")),4,
    date_wday=lower(strftime(now()+(86400*5),"%A")),5,
    date_wday=lower(strftime(now()+(86400*6),"%A")),6)
| eval date_wday=date_wnum+date_wday
| chart count(user) AS count over date_wday by bucket_range
| eval date_wday=replace(date_wday,"\d","")
| rename date_wday AS weekday


I think you'll have to evaluate all your fields first, extract the date you want, then create a search with the Splunk fields "earliest" and "latest", then apply your timechart to that search.

0 Karma


Try putting the timewrap after the where command. Just a hunch.

0 Karma


No luck...

0 Karma